Chapter 7. Authentication/Authorization

The MidoNet API provides two ways to authenticate: username/password and
token. MidoNet uses the Basic Access Authentication
[1] scheme for
username/password authentication. A client with username 'foo'
and password 'bar' sends the following HTTP POST request to the
'/login' path appended to the base URI:

POST /login
Authorization: Basic Zm9vOmJhcg==

where Zm9vOmJhcg== is the base64-encoded value of foo:bar.

If the API server is configured to use OpenStack Keystone as its
authentication service, the tenant name given in the web.xml file
is used in the request sent to the Keystone authentication service.
You can override this tenant name by specifying it in the
request header:

X-Auth-Project: example_tenant_name

The server returns 401 Unauthorized if authentication fails, and 200
if it succeeds. When the login succeeds, the server sets a 'Set-Cookie'
header carrying the generated token and its expiration date, as in:

Set-Cookie: sessionId=baz; Expires=Fri, 02 July 2014 1:00:00 GMT

where 'baz' is the token and the Expires attribute gives the
expiration date. The token can be used for all subsequent requests
until it expires. Additionally, the Content-Type is set to the Token
JSON media type:

Content-Type: application/vnd.org.midonet.Token-v1+json;charset=UTF-8

with the response body set to the token information:

{"key":"baz","expires":"Fri, 02 July 2014 1:00:00 GMT"}

To authenticate with a token instead, the client sets it in the
X-Auth-Token HTTP header:

X-Auth-Token: baz

The server returns 200 if the token is validated successfully, 401 if
the token was invalid, and 500 if there was a server error.

For authorization, if the requesting user attempts to perform operations
or access resources that it does not have permission for, the API returns
403 Forbidden in the response. Currently there are only three roles in
MidoNet:

Admin: Superuser that has access to everything

Tenant Admin: Admin of a tenant that has access to everything that
belongs to the tenant

Tenant User: User of a tenant that only has read-only access to
resources belonging to the tenant
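The login and token flow described in this chapter, as an added example client that is not part of MidoNet or its API documentation. The `send(method, path, headers)` transport is a hypothetical injected callable (so the flow can be exercised offline); everything else follows the headers, media type and status codes shown above.

```python
import base64
import json
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

TOKEN_TYPE = "application/vnd.org.midonet.Token-v1+json"

def login_headers(username, password, project=None):
    # Basic scheme: base64 of "username:password", e.g. foo:bar -> Zm9vOmJhcg==
    creds = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    headers = {"Authorization": "Basic " + creds}
    if project:  # overrides the tenant name configured in web.xml (Keystone setups)
        headers["X-Auth-Project"] = project
    return headers

def parse_login_response(status, headers, body):
    # 200 -> (token, expires) taken from the Token JSON body; 401 -> None (bad credentials)
    if status == 401:
        return None
    if status != 200 or not headers.get("Content-Type", "").startswith(TOKEN_TYPE):
        raise RuntimeError(f"unexpected login response: {status}")
    info = json.loads(body)
    return info["key"], info["expires"]

def token_is_fresh(expires, now):
    # The token is only usable until the Expires date sent with it has passed
    return now < parsedate_to_datetime(expires)

class Session:
    # send(method, path, headers) -> (status, headers, body) is the injected transport
    def __init__(self, send, username, password, project=None):
        self.send, self.creds, self.project = send, (username, password), project
        self.token = self.expires = None
    def login(self):
        reply = self.send("POST", "/login", login_headers(*self.creds, self.project))
        result = parse_login_response(*reply)
        if result is None:
            raise PermissionError("login rejected with 401 Unauthorized")
        self.token, self.expires = result
    def request(self, method, path, now=None):
        now = now or datetime.now(timezone.utc)
        if self.token is None or not token_is_fresh(self.expires, now):
            self.login()                       # no token yet, or it expired locally
        status, _, body = self.send(method, path, {"X-Auth-Token": self.token})
        if status == 401:                      # server rejected the token: log in again once
            self.login()
            status, _, body = self.send(method, path, {"X-Auth-Token": self.token})
        if status == 403:
            raise PermissionError(f"{method} {path}: 403 Forbidden for this role")
        return status, body
```

Other statuses (including the 500 returned on a server error during token validation) are passed back to the caller unchanged.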